Customers use their credentials (username + password) to create access tokens (aka sessions). These sessions are by default time limited to expire one hour after their last use. Optionally at creation they can be given a longer or shorter expiration time or no expiration time at all. They can also be configured to a fixed expiration time regardless of how recently they have been used. Via the API customers can get a list of currently valid access tokens and delete ones that are not needed any more.